RE: AW: [cciug] vobadm vs root

From: Aiello, Bob (Exchange) (raiello@bear.com)
Date: Fri Jan 28 2000 - 11:54:45 EST


ah. There lies the great challenge for most of us hackno-geeks. We think of
these things as "political" - meaning bad or unimportant.

The real issue is relationships. As technology professionals all we have is
knowledge and relationships. This is where management and leadership skills
are so important. Clearcase professionals need to be Quality Leaders! We all
need to pick our battles. Sometimes we decide it's not worth destroying a
relationship and at other times we choose the "hill to die on". :-)

        What I am trying to say is that there is no easy answer to this
issue. I prefer to be part of the sysadmin team when possible. This keeps me
in the loop and helps me maintain my skills.

        Regards.
        Bob

> -----Original Message-----
> From: Scott Mackillip [SMTP:mmackill@aud.alcatel.com]
> Sent: Friday, January 28, 2000 10:41 AM
> To: Greg Dickie
> Cc: EXTERN Chapman Roy (WA-Consultants; K5/ESQ1); ClearCase User Group
> Subject: Re: AW: [cciug] vobadm vs root
>
>
> I concur 100%. The difficulty I am facing in my current environment is that
> politically there are several distinct groups that have done the ClearCase admin
> independently for some time now. My group (a software support group, not system
> admins) is trying to consolidate the CC admin efforts -- to augment the current CC
> administrative abilities. Up till now, the CC admins have not had root access of
> any kind. It seems to be functioning fine for all the distinct groups.
>
> With one central admin point, it would be beneficial for them to have access to
> some commands as root, to facilitate the CC admin. All this is understood by the
> folks on this list.
>
> The real problem I am facing is political, so to arm myself with "best practices"
> and real-world experience will definitely form the basis of my argument/proposal to
> management for the sudo access.
>
>
> Greg Dickie wrote:
>
> > A good relationship between the CC admin and the sysadmins is absolutely
> > essential (in my case, I lead the sysadmins). For me the idea behind sudo
> > is not to block access to root since I'm sure some malicious hacker would
> > be able to circumvent it, the idea is to make it more difficult to screw
> > up since you don't need to have a root shell open all the time. As I said,
> > the sysadmins here work for me and I hardly ever have a root shell open,
> > much safer.
> >
> > Greg
> >
> > On Fri, 28 Jan 2000, Scott Mackillip wrote:
> >
> > > Date: Fri, 28 Jan 2000 08:21:08 -0600
> > > From: Scott Mackillip <mmackill@aud.alcatel.com>
> > > To: "EXTERN Chapman Roy (WA-Consultants; K5/ESQ1)" <Roy.Chapman@de.bosch.com>,
> > >     ClearCase User Group <cciug@Rational.Com>
> > > Subject: Re: AW: [cciug] vobadm vs root
> > >
> > >
> > > My only question now is: once you give me sudo to cleartool, can't I run a
> > > shell-out from the cleartool and have a shell running as root?
> > >
> > > Does that not defeat the whole idea of sudo?
> > >
> > > If this is the case, and there really is a limited number of UNIX commands for
> > > troubleshooting clearcase as root, what is that limited number of commands?
> > >
> > > I apologize if I'm belaboring the point, but I feel that a strong relationship
> > > between the Sys Admin team and the ClearCase Admin team is necessary for a
> > > cohesive and cooperative work environment. I don't want to have to run to the
> > > Sys Admin each time I need to troubleshoot a user's problem, or restart
> > > clearcase. In short, I don't want to pester the Sys Admins to the point that
> > > they roll their eyes and inwardly (or outwardly!) groan each time they see me.
> > >
> > > Regards,
> > >
> > > Scott
> > >
> > > "EXTERN Chapman Roy (WA-Consultants; K5/ESQ1)" wrote:
> > >
> > > > I disagree, it is not pointless trying to restrict root. Suggest you work
> > > > for a Bank and express that opinion.
> > > >
> > > > I do agree with you though that a small number of Unix commands could be
> > > > used to hack the system. But, if we are sensible about this, we don't need
> > > > these commands as a Clearcase Administrator. I would suggest that sudo
> > > > access to cleartool and "sh /etc/rc2.d/S77atria" would suffice. Yes, I am
> > > > sure that additional commands are required on a daily basis, but that's what
> > > > we have Unix Administrators for. A root shell is a dangerous weapon, I
> > > > doubt that there is a user on this list who has been given root access in
> > > > the past and not accidentally rebooted a system or removed something they
> > > > shouldn't have. And if you haven't, give it time. Sudo makes access to root
> > > > commands a pain, in the same way that keeping a loaded weapon in a safe
> > > > makes access more difficult.
> > > >
> > > > Roy Chapman
> > > > External Consultant
> > > >
> > > > Robert Bosch GmbH * (00 49) 0711/811-31795 / GSM (00 49) 0173/4887139
> > > > K5/ESQ * (00 49) 0711/811-31800
> > > > Postfach 20 02 40 * mailto:roy.chapman@de.bosch.com
> > > > D-70442 Stuttgart
> > > >
> > > > > ----------
> > > > > From: Christian Goetze [SMTP:cg@digisle.net]
> > > > > Sent: Thursday, 27 January 2000 20:12
> > > > > To: Scott Mackillip
> > > > > Cc: ClearCase User Group
> > > > > Subject: Re: [cciug] vobadm vs root
> > > > >
> > > > >
> > > > > I think restricting sudo is silly - since it is trivial to bypass any
> > > > > restrictions if sudo is to have any use at all (e.g. one of the most
> > > > > common commands I run as sudo is chmod, and once you give me chmod...).
> > > > >
> > > > > Since root exploits for clearcase machines are available and well known
> > > > > among crackers, it is pointless to attempt to protect root. What you
> > > > > should do instead is to reduce the risk of accidental or trivial errors,
> > > > > and in addition gain the benefit of logging and the use of your own
> > > > > password. That's what sudo is really good for...
> > > > >
> > > > > If you are in a sensitive environment, you need to set up different
> > > > > security procedures that take the vulnerability of Clearcase machines into
> > > > > account. I use the following policy:
> > > > >
> > > > > Sensitive machines treat ClearCase machines like external machines (no
> > > > > trust).
> > > > >
> > > > > ClearCase machines trust all internal machines (no hassles with
> > > > > distributed builds etc)
> > > > >
> > > > > Nobody trusts external machines (duh).
> > > > >
> > > > > ClearCase machines should be used exclusively for development and
> > > > > testing on non-sensitive data sets. Consider that anyone who obtains
> > > > > a normal login on a Clearcase machine already has the "loot" (i.e.
> > > > > your source code). Protecting root in addition to that adds nothing.
> > > > >
> > > > > Special attention should be given to the possibility of Trojan horses
> > > > > being migrated from the relatively insecure development network into
> > > > > the secure production network. Use code review and checksums...
> > > > >
> > > > > --
> > > > > cg
> > > > >
> > > > >
> > > > > On Thu, 27 Jan 2000, Scott Mackillip wrote:
> > > > >
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > I have been following the conversation closely, as I don't have root
> > > > > > access at my current site. I am in the process of putting together a
> > > > > > proposal for sudo access for the commands that will be needed, and have
> > > > > > a couple of questions for you all.
> > > > > >
> > > > > > Does anyone have a list of the commands that would require root access?
> > > > > > (I can generate the list, but if someone has that already done, why
> > > > > > re-invent the wheel?)
> > > > > >
> > > > > > Is it easier to just ask for sudo for cleartool, and then shell out to
> > > > > > accomplish the required task as root? Will sudo log this behavior so the
> > > > > > system administrators have a log/trail should something go awry?
> > > > > >
> > > > > > Or would it be better to just ask for sudo for the commands needed one
> > > > > > at a time?
> > > > > >
> > > > > > What about troubleshooting a user's view? How do you go about getting
> > > > > > access to su to another user without knowing their password?
> > > > > >
> > > > > > Thanks for any help in this!
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Scott MacKillip
> > > > > >
> > > > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > > > >
> > > > > > can also unsubscribe
> > > > > >
> > > > > > http://clearcase.rational.com/cciug/mailing_list.html
> > > > > >
> > > > >
> > >
> >
> > ---------------------------------------------------------------------
> > Greg Dickie
> > Just A Guy*
> > *from discreet (the logic is gone)
> > Montreal
> > (514) 954-7171
> > greg@discreet.com
>

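A sudoers layout for the arrangement argued over in the quoted replies above (sudo to cleartool and to the S77atria start script, plus the worry that a shell-out from cleartool yields a root shell), as an added example that is not from anyone in this thread. It assumes a ccadmins group, hosts vobhost1/vobhost2, /usr/atria/bin/cleartool as the cleartool path, and a sudo recent enough for NOEXEC and I/O logging.

```sudoers
# Added example, not from the thread. Host names, the ccadmins group and the
# cleartool path are assumptions; /etc/rc2.d/S77atria is the script named above.

Host_Alias VOBHOSTS = vobhost1, vobhost2          # the ClearCase servers only

# Weak rule (left commented out): "sudo to cleartool" with no further limits.
# cleartool can spawn child programs, so in practice this is an unrestricted
# root grant, which is exactly the shell-out concern raised in the thread.
# %ccadmins VOBHOSTS = (root) /usr/atria/bin/cleartool

# Tightened version.
Cmnd_Alias CC_TOOL  = /usr/atria/bin/cleartool
Cmnd_Alias CC_START = /bin/sh /etc/rc2.d/S77atria  # exact arguments must match

# NOEXEC makes sudo block exec() from the granted program (via its noexec
# preload library), so cleartool runs but cannot hand out a shell. Caveats:
# it only restrains dynamically linked programs; cleartool subcommands that
# launch an editor or merge tool will fail under it and need their own rule;
# and the start script must stay EXEC, since a shell script does nothing if
# it cannot exec the commands inside it.
%ccadmins VOBHOSTS = (root) NOEXEC: CC_TOOL, EXEC: CC_START

# View troubleshooting: run cleartool as the view owner instead of via su,
# which answers "su to another user without knowing their password" without
# granting root. (ALL, !root) means any target user except root.
%ccadmins VOBHOSTS = (ALL, !root) NOEXEC: CC_TOOL

# Keep the audit trail the sysadmins want: every invocation goes to the sudo
# log, and I/O is recorded for replay with sudoreplay (sudo 1.7.4 or later).
Defaults logfile=/var/log/sudo.log
Defaults!CC_TOOL log_input, log_output
```

Check the file with visudo -c before installing it; a syntax error in sudoers locks everyone out of sudo.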
This archive was generated by hypermail 2b29 : Sun May 06 2001 - 00:22:40 EDT